Security
ACL Rule Summary
Cisco IOS processes the Access Control Entries (ACEs) of an ACL sequentially, either permitting
or denying a packet based on the first ACE matched by that packet in the ACL. For an individual
ACE, all the configured values must match before the ACE is considered a match. Table 18-8 lists
several examples of named IP ACL permit and deny commands that create an individual ACE,
along with their meanings.
The port number field is only matchable when the protocol type in an extended IP ACL ACE is
UDP or TCP. In these cases, the port number is positional in that the source port matching
parameter occurs right after the source IP address, and the destination port parameter occurs right
after the destination IP address. Several examples were included in Table 18-8. Table 18-9
summarizes the matching logic used to match UDP and TCP ports.
Table 18-8 Examples of ACL ACE Logic and Syntax
Access List Statement / What It Matches
deny ip any host 10.1.1.1
    IP packets with any source IP and destination IP = 10.1.1.1 only.
deny tcp any gt 1023 host 10.1.1.1 eq 23
    IP packets with a TCP header, with any source IP, a source TCP port greater than (gt) 1023,
    plus a destination IP of 10.1.1.1, and a destination TCP port of 23.
deny tcp any host 10.1.1.1 eq 23
    Same as the previous example except that any source port matches, as that parameter was omitted.
deny tcp any host 10.1.1.1 eq telnet
    Same results as the previous example; the syntax uses the telnet keyword instead of port 23.
deny udp 1.0.0.0 0.255.255.255 lt 1023 any
    A packet with a source address in network 1.0.0.0/8, using UDP with a source port less than 1023,
    with any destination IP address.
Table 18-9 IP ACE Port Matching
Keyword / Meaning
gt          Greater than
lt          Less than
eq          Equals
ne          Not equal
range x y   Range of port numbers, inclusive
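As an added illustration (not code from the book), here is the first-match evaluation and the positional port matching described above, in Python. The ACE parser, the packet dictionary layout and the tiny port-keyword table are my own assumptions; the sample ACL is constructed from two Table 18-8 statements plus a final permit.

```python
import ipaddress

# Port operators from Table 18-9; IOS writes "range x y" with two operands.
PORT_OPS = {"gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0], "eq": lambda p, a: p == a[0],
            "ne": lambda p, a: p != a[0], "range": lambda p, a: a[0] <= p <= a[1]}
PORT_NAMES = {"telnet": 23, "www": 80}  # tiny assumed subset of the IOS keyword list

def wc_match(addr, base, wildcard):
    # A 0 bit in the wildcard mask means that address bit must be equal.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tok):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (base, wildcard).
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _take_port(tok, proto):
    # Port operators are positional and only legal after an address for tcp/udp.
    if proto not in ("tcp", "udp") or not tok or tok[0] not in PORT_OPS:
        return None
    op = tok.pop(0)
    operands = [tok.pop(0) for _ in range(2 if op == "range" else 1)]
    return (op, [PORT_NAMES.get(x) or int(x) for x in operands])

def parse_ace(line):
    # {permit|deny} protocol source [src-port] destination [dst-port]
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _take_addr(tok), _take_port(tok, ace["proto"])
    ace["dst"], ace["dport"] = _take_addr(tok), _take_port(tok, ace["proto"])
    return ace

def ace_matches(ace, pkt):
    # Every configured value must match before the ACE counts as a match.
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wc_match(pkt["src"], *ace["src"]) and wc_match(pkt["dst"], *ace["dst"])):
        return False
    return all(PORT_OPS[ace[k][0]](pkt[k], ace[k][1])
               for k in ("sport", "dport") if ace[k])

def evaluate(acl, pkt):
    # Sequential, first match wins; every IOS ACL ends with an implicit deny.
    return next((ace["action"] for ace in acl if ace_matches(ace, pkt)), "deny")

# Constructed sample ACL: two Table 18-8 statements plus a final permit.
SAMPLE_ACL = [parse_ace(s) for s in ("deny tcp any gt 1023 host 10.1.1.1 eq telnet",
              "deny udp 1.0.0.0 0.255.255.255 lt 1023 any", "permit ip any any")]
```

A packet is a dict with proto, src, sport, dst and dport; evaluate() returns "permit" or "deny", falling through to the implicit deny when no ACE matches.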
ICMP does not use port numbers, but it does include different message types, and some of those
even include a further message code. The IP ACL commands allow these to be matched using a
rather long list of keywords, or with the numeric message type and message code. Note that these
parameters are also positional, following the destination IP address. For example, the named ACL
command permit icmp any any echo-reply is correct, but the command permit icmp any echo-reply
any is syntactically incorrect and would be rejected.
Several other parameters can also be checked. For example, the IP precedence bits can be checked,
as well as the entire ToS byte. The established parameter matches if the TCP header has the ACK
flag set, which indicates any TCP segment except the first segment of a new connection setup. (The
established keyword will be used in an example later in the chapter.) Also, the log and log-input
keywords can be used to tell Cisco IOS to generate periodic log messages when the ACE is
matched: one message on the initial match, and one every 5 minutes afterward. The log-input
option includes more information than the log option, specifically information about the incoming
interface of the packet that matched the ACE.
For ACL configuration, several facts need to be kept in mind. First, standard ACLs can only match
the source IP address field. Numbered standard ACLs are identified with ACL numbers of either
1–99 or 1300–1999, inclusive. Extended numbered IP ACLs range from 100–199 and 2000–2699,
again inclusive. Also, newly configured ACEs in numbered IP ACLs are always added at
the end of the existing ACL, and ACEs in numbered IP ACLs cannot be deleted one at a time. As
a result, to insert a line into the middle of a numbered ACL, the entire numbered ACL may need
to be deleted (using the no access-list number global command) and then reconfigured. Named
ACLs overcome that problem by using an implied or explicit sequence number, with Cisco IOS
listing and processing the ACEs in an ACL in sequence number order.
Wildcard Masks
ACEs use wildcard masks (WC masks) to define the portion of the IP address that should be examined.
WC masks represent a 32-bit number, with the mask's 0 bits telling Cisco IOS that those corresponding
bits in the IP address must be compared when performing the matching logic. The binary 1s in the WC
mask tell Cisco IOS that those bits do not need to be compared; as a result, these bits are often called
"don't care" bits. Table 18-10 lists several example WC masks, and the implied meanings.
Table 18-10 Sample Access List Wildcard Masks
Wildcard Mask / Description
0.0.0.0           The entire IP address must match.
0.0.0.255         Just the first 24 bits must match.
0.0.255.255       Just the first 16 bits must match.
0.255.255.255     Just the first 8 bits must match.
255.255.255.255   Automatically considered to match because all 32 bits are "don't care" bits.
0.0.15.255        Just the first 20 bits must match.
0.0.3.255         Just the first 22 bits must match.
17.44.97.33       A valid WC mask; it means match all bits except bits 4, 8, 11, 13, 14, 18,
                  19, 24, 27, and 32.
That last entry is unlikely to be useful in a real production network, but unlike IP subnet masks,
the WC mask does not have to consist of a single contiguous set of 0s and another contiguous string of 1s.
A much more typical WC mask is one that matches a particular mask or prefix length. To find a WC
mask to match hosts in a known prefix, use the following simple math: in decimal, subtract the
subnet mask from 255.255.255.255. The result is the "right" WC mask to match that prefix length.
For instance, a subnet mask of 255.255.255.0, subtracted from 255.255.255.255, gives you
0.0.0.255 as a WC mask. This mask only checks the first 24 bits, which in this case is the network
and subnet part of the address. Similarly, if the subnet mask is 255.255.240.0, subtracting it from
255.255.255.255 gives you 0.0.15.255.
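An added example, not from the chapter: the subtract-from-255.255.255.255 rule and the "don't care" bit positions of Table 18-10 worked in Python. The function names are my own, and the prefix-length and contiguity helpers go slightly beyond the chapter's decimal subtraction rule.

```python
import ipaddress

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def wc_from_subnet_mask(mask):
    # The chapter's rule: subtract the subnet mask from 255.255.255.255.
    return str(ipaddress.IPv4Address(ALL_ONES - int(ipaddress.IPv4Address(mask))))

def wc_from_prefix_len(prefix_len):
    # Same rule, starting from a /n prefix length instead of a dotted mask.
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return wc_from_subnet_mask(str(net.netmask))

def dont_care_bits(wildcard):
    # Positions (1 = most significant) of the 1 bits, i.e. the bits IOS ignores.
    w = int(ipaddress.IPv4Address(wildcard))
    return [i + 1 for i in range(32) if w & (1 << (31 - i))]

def checked_bits(wildcard):
    # Number of bits that must match; for a contiguous mask these are the leading bits.
    return 32 - len(dont_care_bits(wildcard))

def is_contiguous(wildcard):
    # True when the mask is a run of 0s followed by a run of 1s, like an inverted subnet mask.
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0

def wc_match(addr, base, wildcard):
    # Compare only the bits where the wildcard mask has a 0.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
```

checked_bits() returns 20 for 0.0.15.255 and 32 for 0.0.0.0; for the non-contiguous 17.44.97.33 it still counts matched bits, but they are no longer a leading run.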